Malware Patrol provides a MikroTik-compatible version of our Enterprise Malicious IPs and Malicious Domains data feeds.

“MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. Our experience in using industry standard PC hardware and complete routing systems allowed us in 1997 to create the RouterOS software system that provides extensive stability, controls, and flexibility for all kinds of data interfaces and routing.”

You can follow these simple steps to configure your MikroTik router to filter malicious IPs and/or domains, protecting your network, computers, and users from malware and ransomware infections. The feeds include IPs and domains derived from C2s, DGAs, and URLs hosting malware and ransomware binaries.

1) You will need the username and password provided to you by Malware Patrol. If you are evaluating, this will be your evaluation portal credentials. If you are a customer, you will use your account login details and portal URL.

2) Execute the following commands in the MikroTik CLI:

Malicious Domains

/system script add name="MP_UpdateMaliciousDomains" owner="admin" policy=ftp,read,write dont-require-permissions=no source={
/tool fetch url="https://_username_:_password@eval.malwarepatrol.net/feeds/files/MP_malicious_domains.mikrotik.rsc" mode=https

/ip firewall address-list remove [find where comment="MP_Malicious_domain"]
/import file-name=MP_malicious_domains.mikrotik.rsc;
}

/ip firewall filter add chain=forward action=drop protocol=tcp dst-address-list=MP_MaliciousDomains log=yes log-prefix="Blocked_by_MP_MaliciousDomains"

/system scheduler add name=MP_UpdateMaliciousDomainsFeed interval=1h on-event=MP_UpdateMaliciousDomains owner=admin policy=ftp,read,write

Malicious IPs

/system script add name="MP_UpdateMaliciousIPs" owner="admin" policy=ftp,read,write dont-require-permissions=no source={
/tool fetch url="https://_username_:_password@eval.malwarepatrol.net/feeds/files/MP_malicious_ips.mikrotik.rsc" mode=https

/ip firewall address-list remove [find where list=MP_MaliciousIPs]
/import file-name=MP_malicious_ips.mikrotik.rsc;
}

/ip firewall filter add chain=forward action=drop protocol=tcp dst-address-list=MP_MaliciousIPs log=yes log-prefix="Blocked_by_MP_MaliciousIPs"

/system scheduler add name=MP_UpdateMaliciousIPsFeed interval=1h on-event=MP_UpdateMaliciousIPs owner=admin policy=ftp,read,write

The commands above create a script that downloads and updates the Malicious IPs and/or Malicious Domains list, a firewall rule that drops and logs forwarded TCP traffic to addresses on that list, and a scheduler entry that runs the download and update every hour. We advise this frequency because our lists are updated every hour.
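The update script passes the downloaded file to /import, which executes it as RouterOS commands, so a copy of the feed can be audited on a staging host to confirm it only adds address-list entries. The following is an added example, not Malware Patrol's code: the list names are taken from the firewall rules above, while the feed layout, the allowed parameters, and the names audit_rsc, check_add and is_address are assumptions.

```python
import ipaddress
import re
import shlex

ALLOWED_LISTS = {"MP_MaliciousIPs", "MP_MaliciousDomains"}  # list names used on this page
ALLOWED_KEYS = {"list", "address", "comment", "timeout"}    # assumed feed parameters
MENU = "/ip firewall address-list"                          # assumed feed layout
HOSTNAME = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9_-]{1,63}\.)+[A-Za-z][A-Za-z0-9-]{1,62}$")
SCRIPT_CHARS = set(";[]{}$`\\")  # chaining, substitution, variables, escapes

def is_address(value):  # IP address, CIDR prefix, or plausible hostname
    try:
        return ipaddress.ip_network(value, strict=False) is not None
    except ValueError:
        return bool(HOSTNAME.match(value))

def check_add(cmd):  # reason string if cmd is not a clean "add", else None
    if SCRIPT_CHARS & set(cmd):
        return "scripting metacharacter"
    try:
        words = shlex.split(cmd)
    except ValueError:
        return "unbalanced quotes"
    params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
    if words[:1] != ["add"] or len(params) != len(words) - 1 or set(params) - ALLOWED_KEYS:
        return "unexpected command or parameter"
    if params.get("list") not in ALLOWED_LISTS:
        return "unexpected list name"
    return None if is_address(params.get("address", "")) else "invalid address"

def audit_rsc(text):  # [(line_number, reason)] for each line /import should not run
    problems, in_menu = [], False
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        if line == MENU:  # bare menu path: later relative lines run inside it
            in_menu = True
        elif line.startswith(MENU + " ") or (in_menu and line[0] != "/"):
            reason = check_add(line[len(MENU):] if line[0] == "/" else line)
            if reason:
                problems.append((n, reason))
        else:  # another menu or command, which also ends the address-list context
            in_menu = False
            problems.append((n, "command outside " + MENU))
    return problems

SAMPLE = ("/ip firewall address-list\n"  # constructed input, not real feed data
          "add list=MP_MaliciousIPs address=192.0.2.10\n"
          "add list=MP_MaliciousIPs address=192.0.2.11; /system identity set name=x\n")
```

An empty result from audit_rsc means every line is an address-list add into one of the two expected lists; any other result lists the line numbers to inspect before the file is imported.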

If you encounter any difficulties during the configuration process, feel free to contact our tech support at support (@) malwarepatrol.net

Configuration guides for other systems can be found on our Tech Support page.
